mysql> show tables;
+----------------------+
| Tables_in_openlab    |
+----------------------+
| MatchedLogRecDetails |
| emp_14               |
| logs                 |
| logs_day_report      |
| logs_month_report    |
| logs_year_report     |
| s_emp                |
| s_emp13              |
| s_emp_14             |
| s_emp_39             |
| s_emp_hz100521       |
| s_emp_jlh            |
| s_user               |
| s_user_39            |
| s_user_hz100521      |
| s_user_jlh           |
| student              |
| student_jlh          |
| user_14              |
| xu_users             |
+----------------------+
20 rows in set (0.01 sec)

mysql> select * from s_user;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  0 | jack     | 123456   |
|  1 | shery    | 123456   |
|  2 | lianghao | lianghao |
|  5 | dengtao  | 123456   |
|  6 | chunzi   | 123456   |
+----+----------+----------+
5 rows in set (0.01 sec)

mysql> select * from s_user where username='jack' and password='dfsf'or'1'='1';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  0 | jack     | 123456   |
|  1 | shery    | 123456   |
|  2 | lianghao | lianghao |
|  5 | dengtao  | 123456   |
|  6 | chunzi   | 123456   |
+----+----------+----------+
5 rows in set (0.00 sec)

mysql> select * from s_user where username='jack';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  0 | jack     | 123456   |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from s_user where username='jack' and password='dfsf';
Empty set (0.00 sec)

mysql> edit
    -> ;//select * from s_user where username='jack' and password='dfs'or'1'='1';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  0 | jack     | 123456   |
|  1 | shery    | 123456   |
|  2 | lianghao | lianghao |
|  5 | dengtao  | 123456   |
|  6 | chunzi   | 123456   |
+----+----------+----------+
5 rows in set (0.00 sec)

mysql> edit
    -> ;//select * from s_user where username='jack' and password='dfs'and'1'='1';
Empty set (0.00 sec)
Summary: jljl'or'1'='1 is a fixed pattern. If the keyword were and, the condition would require the referenced column to hold a single value, which obviously does not fit first normal form of the database. Here or means "either", and the condition 1=1 is always true, so the query result ignores the preceding conditions and returns every record. Put simply, SQL injection uses a single quote to make an SQL keyword take effect, and uses an expression that returns true, so the database treats the query condition as normal and legitimate. Ah, my understanding is still not very thorough; I will revise this once I have learned more.
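The mechanism summarized above, shown side by side with the fix, as an added example that is not part of the original post: a login check built by string concatenation (what the session above does by hand) next to the same check with bind parameters. The s_user rows are constructed in an in-memory SQLite database to mirror the table shown; the function names are assumptions.

```python
import sqlite3

# Constructed sample rows mirroring the s_user table from the session above.
# Passwords are stored in plaintext here only to match the page; a real
# system stores a salted password hash instead.
SAMPLE_USERS = [
    (0, "jack", "123456"),
    (1, "shery", "123456"),
    (2, "lianghao", "lianghao"),
    (5, "dengtao", "123456"),
    (6, "chunzi", "123456"),
]


def make_db():
    """Create an in-memory SQLite copy of s_user with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE s_user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO s_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by concatenation, like the queries in the session.
    Whatever the caller types becomes part of the SQL text, so a quote in the
    password closes the literal and or'1'='1 is parsed as SQL (AND binds tighter
    than OR, so the whole condition becomes true for every row)."""
    sql = ("SELECT id, username FROM s_user WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Passes the values as bind parameters. The database never parses them as
    SQL, so the quote and the or'1'='1 stay inside the string being compared."""
    sql = "SELECT id, username FROM s_user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "jack", "dfsf"))               # []
    print(login_vulnerable(db, "jack", "dfsf'or'1'='1"))      # all 5 rows
    print(login_parameterized(db, "jack", "dfsf'or'1'='1"))  # []
    print(login_parameterized(db, "jack", "123456"))          # [(0, 'jack')]
```

The parameterized version is the check to keep: the same input that returned five rows through concatenation matches nothing once it is bound as a value.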